Big services for small clients
Windows Server 2008 covers another flavor of virtualization in the form of Terminal Services. Terminal Services has long been a mainstay of Windows Server; the big news in this release is its HTTPS tunnel, the Terminal Services Gateway. Edge security often blocks inbound access to the TCP ports Terminal Services needs. The Terminal Services Gateway lets remote clients that firewalls would normally block reach Terminal Services, without the hassle of a VPN but with full security and auditing.
Terminal Services Gateway will undoubtedly get played by competitors as an exploitable backdoor, but it's a much smarter way to control user access (internal as well as external) to network services. Terminal Services Gateway requires the application of Remote Access Policies (RAP) that define and enforce the characteristics of clients permitted access to Terminal Services, and remote services in general. A client that doesn't meet RAP's health tests and policies, such as a notebook that's plugged into your network by an internal hacker, can't get in through Terminal Services or any other means. Period.
Seriously? Absolutely. BitLocker local disk encryption can be defined as an enforced remote access policy. Users like encryption for privacy, but IT will love BitLocker. It uses a client system's Trusted Platform Module (TPM) to create a file access authentication path that users cannot bypass, even if they boot from an unencrypted drive or overwrite the boot blocks on the local drive. If policies allow users to work with local copies of sensitive files, the TPM can ensure that those files are unreadable away from the network and cannot be copied to removable media.
More to the point, if you have a lapse in security that allows a user inside the firewall to suck in a database of customer information, when they get their client home they won't be able to read the files they've stolen. All access to Windows Server 2008 is revocable at the user, client computer, or group level. To absolutely, positively terminate employees' or contractors' network access, and access to locally stored files, the administrator need only create and distribute a new certificate. This is one of many simple ways to change the locks in Windows Server 2008.
This, too, will raise the hackles of those who don't like the idea of systems that users can't control, but they should know that BitLocker and RAP do not preclude the use of other operating systems, and they can be undone by someone with administrative privileges (another reason to extend these sparingly). Used properly, RAP, TPM, and BitLocker can obviate the necessity for client-side security agents and hardware such as USB crypto keys.
Windows Server 2008 enhances network security in other ways as well. Tunneling is implemented in several Windows network services, and can be extended to any application through socket sharing. Several applications, even applications that use different protocols, can listen on a single TCP socket. Traffic analysis routes packets to the appropriate application, and port sharing doesn't interfere with load balancing.
The potential for OS-level tunneling becomes evident when many guest OS instances are run on a single physical host. The Windows Server 2008 host acts as a gateway and load balancer. Tunneling may allow guests to share one TCP port such that one heavily monitored HTTPS socket might be the only direct access a virtual host has to the outside world. I haven't tested this to see if it's a feature in the current release, but I see this as tunneling's greatest potential use.
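As an added illustration of the single-port sharing described above (example code written for this page, not Windows Server's own port-sharing implementation): a small gateway that peeks at each connection's first bytes, hands the untouched stream to the matching backend handler, and drops anything it cannot identify. The byte patterns, handler names and the 127.0.0.1:8443 address are constructed for the demo.

```python
import socket
import threading
from typing import Callable, Dict, Optional

# Byte patterns used to tell protocols apart from the first bytes a client sends.
# Constructed for this demo; a production gateway would validate more of each handshake.
TLS_RECORD_HANDSHAKE = b"\x16\x03"          # TLS record header: handshake type, major version 3
TPKT_HEADER = b"\x03\x00"                   # TPKT header that wraps an RDP X.224 connection request
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

Handler = Callable[[socket.socket], None]

def classify(prefix: bytes) -> str:
    """Name the protocol seen in a peeked prefix: 'tls', 'rdp', 'http' or 'unknown'."""
    if prefix.startswith(TLS_RECORD_HANDSHAKE):
        return "tls"
    if prefix.startswith(TPKT_HEADER):
        return "rdp"
    if prefix.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def route(prefix: bytes, handlers: Dict[str, Handler]) -> Optional[Handler]:
    """Pick the handler registered for the detected protocol; None means 'drop the connection'."""
    return handlers.get(classify(prefix))

def serve_connection(conn: socket.socket, handlers: Dict[str, Handler]) -> None:
    """Peek at the first bytes, choose a backend, and pass the stream on unconsumed."""
    with conn:
        conn.settimeout(5.0)                          # a silent client cannot hold a worker forever
        try:
            prefix = conn.recv(8, socket.MSG_PEEK)    # look at the bytes without consuming them
        except socket.timeout:
            return
        handler = route(prefix, handlers)
        if handler is None:                           # unknown or empty prefix: fail closed
            return
        handler(conn)

def run_gateway(listen_addr, handlers: Dict[str, Handler]) -> None:
    """One listening socket shared by every registered protocol handler."""
    with socket.create_server(listen_addr) as srv:
        while True:
            conn, _peer = srv.accept()
            threading.Thread(target=serve_connection, args=(conn, handlers), daemon=True).start()

if __name__ == "__main__":
    def echo_name(name: str) -> Handler:              # stand-in backends that just report the route
        return lambda c: c.sendall(f"routed to {name}\n".encode())
    run_gateway(("127.0.0.1", 8443), {"tls": echo_name("tls-backend"),
                                      "rdp": echo_name("rdp-backend"),
                                      "http": echo_name("http-backend")})
```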
With or without tunneling, Terminal Services has grown from a convenience to a necessity. Remote Desktop Protocol versions 6 and 6.1 are bundled with Vista, and count among the many new Windows Server 2008 features that roll out a red carpet for Vista clients. In the recent past, I have taken the position that IT shouldn't be forced into Vista. After working with Vista and Windows Server 2008, especially Terminal Services, I have reversed my position. As you migrate from Windows Server 2003 to 2008, upgrade your clients as well.